BEING 
ПОХХЕО: 


WHAT TO DO TO HELP 
KEEP EACH OTHER SAFE 


The alt-right has gotten hold of some of our online ac- 
counts. With this information they are creating imposter 
accounts in order to harass, phish, and dox us. They are 
sharing our personal photos along with addresses and 
phone numbers to encourage further harassment. Their 
efforts have been far reaching and are expanding. Now 
is а crucial time for us to take our data security serious- 
ly and review our practices. We particularly encourage 
those of us who may feel off the radar to examine secu- 
rity practices, as we have seen a willingness to target less 
visible or publicly active friends both for harassment 
and for information mining. Individual security is about 
keeping all of us safe. 


No tool can save you from your behavior. We empha- 
size good practices over encouraging use of apps and 
programs. The internet is an incredibly volatile place 
and it’s important we have a critical and suspicious eye 
when thinking about how we exist online. We encourage 
you to walk through your online presence as an adver- 
sary, see what could be exploitable. Take steps to protect 
yourself from anyone gaining access or control of your 
accounts, but first weigh the risks of having your data 
compromised versus the utility its online access gives 
you. We've resisted and existed for centuries without the 
technology currently used, make sure only things you 
want to be online are online. 


This is not meant to be wholly comprehensive. Lots of 
this advice will not protect you from adversaries that 
have wide-spread access and advanced tools. We suggest 
you address these immediate concerns, yet continue to 
strengthen your digital self-defense. 
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FOR AN EXTENDED LIST OF RESOURCES AND 
GUIDES ON HOW TO IMPLEMENT SOME OF THE 
PRACTICES RECOMMENDED, CHECK OUT: 


DIGITALDEFENSE.NOBLOGS.ORG 


LOOK OUT FOR PATTERNS 

If something doesnt feel right, take the time to figure it out. 
Take the time to verify identities. There are many ways to do 
this, in person being by far the best, but talking with your voic- 
es on the phone or a short face-time/video-call can be used to 
confirm the identity of who youre interacting with. Be critical 
when people get new numbers or contact you from accounts 
youre not familiar with (our forgotten old accounts can some- 
times be revived by an attacker). Weve seen attackers simulate 
crisis in order to get information quickly. We've seen attackers 
overstate when attempting to gain trust, your friends arent 
often going to list five reasons they are themselves (especially 
when a quick call will do). If something isnt comfortable, don't 
do it. 


SCRUTINY 

Attackers have many ways of gaining access to your accounts 
and information. Often times they'll hide malware inside а 
seemingly innocuous link. As good practice, don't click on links 
but type in the address instead. Don't be curious without mak- 
ing sure youre safe. When browsing websites, sensitive infor- 
mation could be leaked just by visiting. There are plenty of tools 
out there to help you; using the TOR browser or a VPN (such 
as Private Internet Access) can assist you with some aspects of 
your security, but take some time to learn their limitations. If 
you have a tech-savvy friend, ask them to attempt to dox you in 
order to patch holes in your security. 


Visit ssd.eff.org and explore their interactive website. More 
than anything, take your online presence seriously. No one is 
perfectly secure, but we can all be patching the holes in our col- 
lective security. This current iteration of threats is about our 
connections to each other, so even if you dont feel youre an at 
risk person one small weak spot makes a huge mess for all of us. 
Be critical and scrutinize. Trust, but verify. 
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HERE'S A SHORT LIST OF ACTIONS YOU 
CAN DO TO PROTECT YOURSELF FROM 
SOME OF THE EXACT PROBLEMS МЕ МЕ 
RECENTLY FACED. IT REALLY MATTERS. 


- GET OFF SOCIAL MEDIA IF YOU CAN. IF NOT, KEEP 
OUR FACES OFF OF IT. 


- DON'T LET ACCOUNTS LINGER. LOCK DOWN ANY 
ACCOUNT YOU OWN, OR MAKE SURE THEY ‘RE DE- 
LETED IN THOROUGH AND SAFE WAY. 


- DON’T RE-USE PASSWORDS. USE А SIX WORD 
PASSPHRASE AT A MINIMUM FOR EACH ACCOUNT. 


- KNOW THAT YOUR SMARTPHONES ARE CON- 
STANTLY COLLECTING YOUR DATA AND SYNCING 
IT TO THE CLOUD AND/OR GOOGLE DRIVE. 


- KEEP YOUR ACCOUNTS CLEAN OF CONTACTS, 
PHOTOS AND OLD EMAILS. ONLY HAVE THINGS 
ONLINE THAT YOU NEED TO HAVE ONLINE. 


- ERR ON THE SIDE OF CAUTION. ASK FOR VOICE 
OR VIDEO CONFIRMATION IF DEALING WITH A 
CONFUSING OR SUSPICIOUS CONTACT. 


SOCIAL MEDIA 

As our adversaries learn our identities and map our relation- 
ships we've seen an increasing amount of impersonations and 
“phishing” (attempts at luring people into giving more informa- 
tion). One way to start our defense is to limit the access to map- 
ping in the first place. Take a critical eye to your social media 
accounts and make them private. Look at who youre following 
and whos following you. Verify new accounts, as many fake 
accounts are created to monitor or impersonate your friends 
and comrades. If you know of a fake or harassing account, doc- 
ument it and report it. Take down identifying pictures and be 
thoughtful of the social web youre advertising. If you choose 
to delete any account, learn about how it may be recovered, 
as our attackers have reactivated and thereby controlled ac- 
counts. Think back to every online account you've had, go back 
and lock them down with secure passphrases and two-factor 
authentication (when possible). 


GOOGLE, ACCOUNTS AND EMAIL 

With a few notable exceptions, your accounts are collecting 
and storing large amounts of information on you. These ac- 
counts allow you some say on what and how this is stored, 
and it’s highly suggested you personalize your account to be 
relevant to your concerns. For instance, Android phones sync 
your contacts with Google/Gmail to make everything more ac- 
cessible to you. If someone were to gain access to your account 
and therefore contacts, they could learn names, numbers, and 
emails for people they could be interested in as well as a list of 
people to try to harass, hack, or phish for other information. 
With enough opportunities and practice there stands a good 
chance that someone could get the information they need or 
cause the damage they desire. 


Delete all the information you weigh as risky, and be critical. 
Your archive of emails is a treasure trove of personal informa- 
tion, delete all the emails you dont need to hold on to. If you 
want to keep some, but don't want them to be accessible from 
your account, get them offline (print them, to PDF or paper). Re- 
member, most services just move items to a Trash folder when 
you delete them, make sure to clear it. Look at your recovery 
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options. Security questions can be easily guessed depending 
on how much information someone has on you; make your an- 
swers nonsensical passphrases or don't use security questions 
at all. Don't let everything rest on а central account, this pro- 
vides an option where if an attacker gains access to one of your 
accounts they can gain access to many (Google allows you to log 
into everything with one account, you can see how risky this 
would be once an attacker gains access to that one account). 
“Forget your password” and see what vulnerabilities exist to 
someone attempting to get yours. 


PASSPHRASES 

Currently the recommended advice is to have a passphrase of 
at least six randomly selected words in sequence. While a short- 
er passphrase with symbols and seemingly random characters 
is very hard to remember, it’s not an effective barrier to most 
programs that are used to crack passphrases. If remember- 
ing decent passphrases for all your accounts seems daunting, 
consider using a password manager (like KeePassXC). Don't re- 
use passphrases, an account with low security using the same 
passphrase as Say, your online banking, creates an obvious and 
easily exploitable breach in security. Change them frequently, 
set time aside to re-up your security with regularity. When ap- 
plicable use two-factor authentication/Vverification and opt for 
methods that aren't easily bypassed (such as choosing to use an 
offline app over sending a text to a phone i.e. Google Authenti- 
cator). 


https://ssd.eff.org/en/module/animated-over- 
view-how-make-super-secure-password-using-dice 


RECORD EVERYTHING 

So much of data is ephemeral, especially if you lose access to 
your accounts. Print (to PDF) emails or screenshot conversa- 
tions you consider suspicious. The same goes for if youre con- 
tacted by a potential attacker. These instances can serve as ex- 
amples of things to look out for, and could come in handy if you 
need evidence to get an account shut down, pursue a lawsuit, or 
regain control of your account. 
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